CIO Insights and Analysis from Deloitte (sponsor content; The Wall Street Journal News Department was not involved in the creation of the content below).


Cyber Defense a Joint Effort Among Business Partners

When business partners share data or digital processes, a breach of one can affect them all. Close collaboration on cyber incident response can be an essential step toward achieving a mutually effective defense.

A chain is only as strong as its weakest link, and business ecosystems are no exception. A company’s vendors, cloud service providers, and other business partners are all exposed to today’s growing cyber risks, and a compromise of any one of them can affect the rest.

However, many organizations are not prepared to defend themselves in this joint risk environment. It’s difficult enough to coordinate responses across functions internally, but when a breach extends beyond a company’s borders, the problem can be compounded if cross-organizational defense plans are not in place. The issue is real: Sixty-three percent of breaches reported in recent years were traced to third-party vendors, but only 18 percent of companies even have an inventory of partners with which to begin coordinating response activities. For many organizations, it’s not until a breach occurs that the full extent of their exposure becomes clear; by then, it’s their problem to solve, ready or not.

And the cost can be significant: Even if the breach originates outside the company’s own perimeter, customers won’t likely distinguish the difference, or even care. Instead, many will just think that a company they trusted has failed them. This perception, in turn, can lead to longer-term business and financial impacts, including brand and reputational damage.

A challenge today is for companies to assess how best to protect their businesses while also keeping pace with growing competition in the digitally connected world. A collaborative incident response capability developed jointly and proactively with business allies can be an important tool for achieving that balance.

4 Steps to Get Started

Certain industries, such as financial services, tend to be more advanced in this area, but many are still just laying the groundwork for collaborative incident response. Companies can get started by taking a few essential steps:

Know your allies. It may sound obvious, but a company’s culture is frequently focused on business expansion rather than on the cybersecurity posture needed to support it. All too often, businesses don’t fully understand the digital landscape beyond their own network, or even know all the partners with which they share data. An important first step is to build an accurate, centralized inventory of business partners that records what data is shared with each, which network, API, and file-transfer connections carry it, and who the security contacts are on both sides. Understanding those connections is critical to assessing collective cyber exposure, and it is the basis on which partner organizations can begin developing a joint incident response strategy. Once the inventory exists, companies can hold a cross-organizational workshop that brings together key stakeholders, raises awareness, and establishes a common understanding of the challenges involved.

Establish governance. For mutual resiliency, business partners can better work together by establishing a cross-organizational governance framework focused on driving consensus to achieve mutual security objectives. An incident response charter, signed by respective leadership teams to give it “teeth,” can help outline roles and responsibilities, establish a clear line of communication, drive efficiency, and accelerate decision-making. For example, it might designate leaders from critical business functions and other key cross-functional stakeholders from crisis management, cyber incident response, and business continuity. Within this framework, business partners can confidentially discuss what end-to-end digital processes are most important, which are most likely to be affected by a cyberattack, and what incident response capabilities could best minimize any collective impact.


It’s often important to consider the broader business implications rather than using just a technology lens in these risk discussions. Core questions the group can explore include: Do we understand our shared risks? When a breach occurs, who is affected within each partner organization? Do we have the mechanisms in place to coordinate? Can we agree on the legal frameworks necessary to work better together?

Organize to win. By understanding each other’s technical capabilities and limitations, business partners can determine what cross-organization capabilities can be leveraged collectively and how their actions can be synchronized to defeat a common adversary. Two specific countermeasures can help:

Create a playbook. Identify a likely cyber incident use case—for example, a breach at a company that shares personally identifiable information or protected health information—and create a cross-organization incident response playbook around this scenario. Useful elements of this playbook can include common incident response terminology, escalation and notification triggers, cross-functional briefing templates for sharing information, and a communication plan to facilitate who should talk to whom and how often.

Plan to share. Second, develop an actionable framework for sharing real-time intelligence during a breach. Ideally, that intelligence includes not just indicators of compromise—artifacts such as file hashes, malicious domain names, and IP addresses that signal an intrusion—but also the critical success factors organizations used to contain the incident and mitigate its impact. Ultimately, the goal is a flexible set of engagement protocols, agreed in advance by all participating organizations, for sharing information about cyber incidents, actionable threats, vulnerabilities, and successful mitigation strategies. Examples of such protocols include a streamlined process for approving the release of intelligence outside the organization and agreed channels for person-to-person information sharing.
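As an added illustration of what a partner-shared indicator feed looks like in practice (this is example code, not part of the original article or any Deloitte tooling), the script below ingests a constructed bundle of indicators from two hypothetical partners, validates and normalizes each entry, checks them against a few constructed proxy log lines, and only builds an outbound sighting report once a release has been approved. The bundle format, field names, partner names, and log layout are assumptions for the example; the addresses use documentation ranges and the hashes are made up.

```python
"""Consume a partner-shared indicator bundle and check it against local logs.

Constructed example. The comma-separated bundle format, the key=value log
layout, and the partner names are assumptions for illustration only.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str    # "ipv4", "sha256" or "domain"
    value: str   # normalized value (lower-case, canonical IP text)
    source: str  # partner organization that shared it


SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed partner bundle, one indicator per line: kind,value,source.
# Two entries are deliberately malformed to show that they are dropped.
PARTNER_BUNDLE = """\
ipv4,203.0.113.7,partner-a
sha256,9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08,partner-a
domain,Update.Example.Net,partner-b
ipv4,not-an-ip,partner-b
sha256,deadbeef,partner-b
"""

# Constructed proxy log lines from our own environment.
LOG_LINES = [
    "2024-03-01T10:00:00Z src=10.0.0.5 dst=203.0.113.7 host=cdn.example.com sha256=-",
    "2024-03-01T10:00:05Z src=10.0.0.9 dst=198.51.100.2 host=update.example.net sha256=-",
    "2024-03-01T10:00:09Z src=10.0.0.5 dst=198.51.100.20 host=files.example.com "
    "sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "2024-03-01T10:00:12Z src=10.0.0.7 dst=198.51.100.30 host=intranet.example.org sha256=-",
]


def parse_bundle(text: str) -> list[Indicator]:
    """Validate and normalize each shared indicator; silently skip bad lines."""
    indicators = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        parts = [p.strip() for p in raw.split(",")]
        if len(parts) != 3:
            continue
        kind, value, source = parts
        kind = kind.lower()
        if kind == "ipv4":
            try:
                value = str(ipaddress.IPv4Address(value))
            except ValueError:
                continue
        elif kind == "sha256":
            value = value.lower()
            if not SHA256_RE.fullmatch(value):
                continue
        elif kind == "domain":
            value = value.lower().rstrip(".")
            if not DOMAIN_RE.fullmatch(value):
                continue
        else:
            continue  # unknown indicator type: ignore rather than guess
        indicators.append(Indicator(kind, value, source))
    return indicators


def match_logs(indicators: list[Indicator], lines: list[str]) -> list[tuple[str, Indicator]]:
    """Return (log line, indicator) pairs where a shared indicator was sighted."""
    by_key = {}
    for ind in indicators:
        by_key.setdefault((ind.kind, ind.value), []).append(ind)
    hits = []
    for line in lines:
        fields = dict(KV_RE.findall(line))
        candidates = [
            ("ipv4", fields.get("dst", "")),
            ("domain", fields.get("host", "").lower()),
            ("sha256", fields.get("sha256", "").lower()),
        ]
        for key in candidates:
            for ind in by_key.get(key, []):
                hits.append((line, ind))
    return hits


def prepare_outbound(hits: list[tuple[str, Indicator]], release_approved: bool) -> list[dict]:
    """Build the sighting report sent back to partners.

    Nothing leaves until the release has been approved, and the report
    carries only the matched indicator and first-seen time, never our
    internal source addresses or full log lines.
    """
    if not release_approved:
        return []
    report, seen = [], set()
    for line, ind in hits:
        key = (ind.kind, ind.value)
        if key in seen:
            continue
        seen.add(key)
        report.append({"kind": ind.kind, "value": ind.value,
                       "first_seen": line.split()[0], "originally_from": ind.source})
    return report


if __name__ == "__main__":
    found = match_logs(parse_bundle(PARTNER_BUNDLE), LOG_LINES)
    for line, ind in found:
        print(f"{ind.kind}={ind.value} from {ind.source}: {line}")
    print(prepare_outbound(found, release_approved=True))
```

The two gates worth noting are the ones the text calls for: indicators are validated before they touch detection logic so a typo in a partner's feed cannot produce noise or a broken rule, and the outbound report is empty until someone with release authority has approved it, and even then omits internal addresses.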

While still evolving in the commercial world, these concepts are not new in the military: In combat, U.S. forces routinely operate jointly, even though they may never have worked together before. That’s made possible by documenting, planning, and training to a common lexicon.

Test it out. Even with the most effective plans and frameworks, no battle plan ever survives contact with the enemy, to paraphrase German military strategist Helmuth von Moltke the Elder. To help make sure collective plans work as intended, business partners can conduct regular cyber war games—immersing themselves in simulated and interactive cyberattack scenarios that enable them to practice collaboration, information sharing, and cross-organization communication. Such simulations are complex to plan, but they can collectively benefit all the participating organizations. When equipped ahead of time with incident response playbooks and protocols for sharing adversary tactics, techniques, and procedures, participants’ response capabilities tend to be even better.

*****

For digitally connected business partners, an attack on one is an attack on all, to borrow the old NATO adage. It may feel unnatural for some organizations to share data and work closely with ecosystem partners, particularly when competitors are involved. However, in today’s business landscape, cybersecurity has become a shared responsibility—like it or not. By planning for a breach, partners can join forces for collective self-defense.
